Researchers at cybersecurity firm Bitdefender claim to have found serious vulnerabilities in widely used solar power systems, potentially enabling attackers to cause disruption and blackouts.
The researchers analyzed photovoltaic system management platforms provided by Chinese companies Solarman and Deye, which, according to Bitdefender, are used to operate millions of solar installations worldwide, generating 195 GW, or roughly 20% of the global solar power production.
The security holes were found in the products of two companies, but their solutions are interconnected. Solarman develops solar management and monitoring solutions and Deye provides inverters, the component that converts DC electricity to AC and synchronizes the output with the power grid.
“As far as we are able to tell, Deye has been using the original Solarman infrastructure up until 2024, but they have customized their implementation and spun off a new datacenter to accommodate their own user base,” Bitdefender explained.
Details were disclosed by Bitdefender on Tuesday in separate papers documenting the Solarman and Deye vulnerabilities, as well as in a blog post titled ‘60 Hurts per Second – How We Got Access to Enough Solar Power to Run the United States’.
The researchers discovered vulnerabilities that could have been exploited to take full control of any account on the Solarman platform, enabling attackers to modify parameters and manipulate inverters.
Other flaws could have been exploited to gain access to sensitive data, including personal information and location data for solar installations.
According to Bitdefender, exploitation of these vulnerabilities could have led to the disruption of power generation or voltage fluctuations, the exposure of sensitive information about users and organizations, and to cause disruptions that could lead to grid instability or blackouts.
Bitdefender said it reported its findings to Solarman and Deye in May and patches were deployed in the summer.
SecurityWeek has reached out to Solarman for comment and will update this article if the company responds.
“Integrating solar power into the grid offers immense benefits, but it also introduces attack surfaces that equipment makers must take into account. The security flaws found in the Deye and Solarman platforms highlight the need for robust cybersecurity in managing solar energy systems, as well as in general IoT setups,” Bitdefender said.
Related: Exploited Solar Power Product Vulnerability Could Expose Energy Organizations to Attacks
Related: Research Shows How Solar Energy Installations Can Be Abused by Hackers
